Commit Graph

113 Commits

Author SHA1 Message Date
Ryan Richard
b6f0dc3ba7 Fix conflicts caused from rebasing main into multiple IDPs branch 2023-09-11 11:15:40 -07:00
Ryan Richard
0a21cb6d08 Replace more pointer.String() with the new ptr.To() 2023-09-11 11:14:06 -07:00
Ryan Richard
e6c78facfc Fix expectations in FederationDomains status test for old Kube versions
Also try to avoid flakes by using RetryOnConflict when calling Update
on the FederationDomain.
2023-09-11 11:14:05 -07:00
Ryan Richard
01ab7758d8 Add e2e test for rejecting auth using identity transformation policy 2023-09-11 11:14:05 -07:00
Ryan Richard
92bf826ec5 rename a local variable in an integration test 2023-09-11 11:14:05 -07:00
Ryan Richard
446384a7f5 add an e2e test for a FederationDomain with multiple IDPs and transforms 2023-09-11 11:14:05 -07:00
Ryan Richard
5341322071 add integration test for FederationDomain status updates
- Also fix small bug in controller where it used Sprintf wrong
- Rename WaitForTestFederationDomainStatus test helper to
  WaitForFederationDomainStatusPhase
2023-09-11 11:14:05 -07:00
Ryan Richard
40dcc8a7f1 Update integration tests for new FederationDomain phase behavior
- Refactor testlib.CreateTestFederationDomain helper
- Call testlib.WaitForTestFederationDomainStatus after each integration
  test creates an IDP and expects the FederationDomain to become ready
- Create an IDP for some tests which want the FederationDomain to be
  ready but were previously not creating any IDP
- Expect the new FederationDomain condition type
  "IdentityProvidersFound" in those tests where it is needed

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-09-11 11:14:05 -07:00
Ryan Richard
0b408f4fc0 Change FederationDomain.Status to use Phase and Conditions 2023-09-11 11:14:02 -07:00
Ryan Richard
e4f43683d4 fix more integration tests for multiple IDPs 2023-09-11 11:12:27 -07:00
Joshua Casey
12f18cbed8 Inline and remove testutil.TempDir 2023-09-06 14:52:01 -05:00
Ryan Richard
4512eeca9a Replace agouti and chromedriver with chromedp across the whole project 2023-08-01 11:27:09 -07:00
Ryan Richard
f302e71b0f Fix some integration tests' handling of groups to work with Okta 2022-09-26 12:40:07 -07:00
Ryan Richard
8d8f980e86 Merge branch 'main' into dynamic_clients 2022-08-26 11:35:35 -07:00
Ryan Richard
c6c2c525a6 Upgrade the linter and fix all new linter warnings
Also fix some tests that were broken by bumping golang and dependencies
in the previous commits.

Note that in addition to changes made to satisfy the linter which do not
impact the behavior of the code, this commit also adds ReadHeaderTimeout
to all usages of http.Server to satisfy the linter (and because it
seemed like a good suggestion).
2022-08-24 14:45:55 -07:00
Ryan Richard
22fbced863 Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
  client does not need to request the username or groups scopes for them
  to be granted. For dynamic clients, the usual OAuth2 rules apply:
  the client must be allowed to request the scopes according to its
  configuration, and the client must actually request the scopes in the
  authorization request.
- If the username scope was not granted, then there will be no username
  in the ID token, and the cluster-scoped token exchange will fail since
  there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
  scopes in the scopes_supported list, and lists the username and groups
  claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
  put into kubeconfig files by "pinniped get kubeconfig" CLI command,
  and the default list of scopes used by "pinniped login oidc" when
  no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
  refresh will only be sent to the pinniped-cli client, since it is
  only intended for kubectl and it could leak the username to the
  client (which may not have the username scope granted) through the
  warning message text.
- Add the user's username to the session storage as a new field, so that
  during upstream refresh we can compare the original username from the
  initial authorization to the refreshed username, even in the case when
  the username scope was not granted (and therefore the username is not
  stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
  due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
  package.
- Change some import names to make them consistent:
  - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
  - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
    as "oidcapi"
  - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 16:29:22 -07:00
Ryan Richard
57f8e18dbc Merge branch 'main' into dynamic_clients 2022-07-26 09:31:18 -07:00
Ryan Richard
c07cc6b8ec Update e2e_test.go for clusters which have ServerSideFieldValidation
Also update prepare-cluster-for-integration-tests.sh for new
kubectl version command options.
2022-07-25 17:25:21 -07:00
Margo Crawford
64cd8b0b9f Add e2e test for groups scope
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 13:41:22 -07:00
Margo Crawford
4d0c2e16f4 require groups scope to get groups back from supervisor
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 08:00:17 -07:00
Ryan Richard
ec533cd781 Skip some recently added integration tests when LDAP is unavailable
Also refactor to use shared test helper for skipping LDAP and AD tests.
2022-06-08 12:57:00 -07:00
Ryan Richard
cb8685b942 Add e2e test for PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW env var 2022-06-02 11:27:54 -07:00
Ryan Richard
aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
2022-05-10 16:28:08 -07:00
Ryan Richard
ab302cf2b7 Add AD via browser login e2e test and refactor e2e tests to share code 2022-05-10 10:30:32 -07:00
Ryan Richard
a4e32d8f3d Extract browsertest.LoginToUpstreamLDAP() integration test helper 2022-05-09 15:43:36 -07:00
Ryan Richard
6e6e1f4add Update login page CSS selectors in e2e test 2022-05-05 13:56:38 -07:00
Margo Crawford
329d41aac7 Add the full end to end test for ldap web ui
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-05 08:49:58 -07:00
Margo Crawford
07b2306254 Add basic outline of login get handler
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 11:51:36 -07:00
Margo Crawford
eb1d3812ec Update authorization endpoint to redirect to new login page
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 12:51:56 -07:00
Ryan Richard
bedf4e5a39 Try to avoid getting a second username prompt in a test in e2e_test.go 2022-03-22 14:23:50 -07:00
Ryan Richard
2715741c2c Increase a test timeout in e2e_test.go 2022-03-22 12:13:10 -07:00
Ryan Richard
d162e294ed Split up the context timeouts per test in e2e_test.go 2022-03-22 10:17:45 -07:00
Ryan Richard
e1e3342b3d Increase a test timeout to account for slower test on EKS in CI
The test takes longer on EKS because it has to wait about 2 minutes for
the EKS load balancer to be ready during the test.
2022-02-22 11:46:15 -08:00
Ryan Richard
c09daa8513 Merge branch 'main' into fix_int_test_macos 2022-02-16 11:09:11 -08:00
Monis Khan
b8202d89d9
Enforce naming convention for browser based tests
This allows us to target browser based tests with the regex:

go test -v -race -count 1 -timeout 0 ./test/integration -run '/_Browser'

New tests that call browsertest.Open will automatically be forced to
follow this convention.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-16 09:20:28 -05:00
Ryan Richard
1aa17bd84d Check for darwin before relaxing stderr vs stdout assertion in e2e test 2022-02-15 13:45:04 -08:00
Ryan Richard
b0c36c6633 Fix int test that was failing on MacOS, and some small doc changes 2022-02-15 11:19:49 -08:00
Mo Khan
29368e8242
Make the linter happy 2022-02-08 16:31:04 -05:00
Ryan Richard
cd825c5e51 Use "-v6" for kubectl for an e2e test so we can get more failure output 2022-02-08 13:00:49 -08:00
Monis Khan
8ee461ae8a
e2e_test: handle hung go routines and readers
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-08 11:40:10 -05:00
Mo Khan
1388183bf1
TestE2EFullIntegration: reduce timeout
This causes the test to timeout before concourse terminates the entire test run.
2022-02-07 20:53:03 -05:00
Ryan Richard
0431a072ae Remove an unnecessary nolint comment 2022-02-07 16:26:39 -08:00
Ryan Richard
aa56f174db Capture and print the full kubectl output in an e2e test upon failure 2022-02-07 16:17:38 -08:00
Ryan Richard
2b93fdf357 Fix a bug in the e2e tests
When the test was going to fail, a goroutine would accidentally block
on writing to an unbuffered channel, and the spawnTestGoroutine helper
would wait for that goroutine to end on cleanup, causing the test to
hang forever while it was trying to fail.
2022-02-07 11:57:54 -08:00
Margo Crawford
842ef38868 Ensure warning is on stderr and not stdout. 2022-01-20 13:48:50 -08:00
Margo Crawford
acd23c4c37 Separate test for access token refresh 2022-01-20 13:48:50 -08:00
Margo Crawford
38d184fe81 Integration test + making sure we get the session correctly in token handler 2022-01-20 13:48:50 -08:00
Margo Crawford
43694777d5 Change some comments on API docs, fix lint error by ignoring it 2021-08-26 16:55:43 -07:00
Margo Crawford
6f221678df Change sAMAccountName env vars to userPrincipalName
and add E2E ActiveDirectory test
also fixed regexes in supervisor_login_test to be anchored to the
beginning and end
2021-08-26 16:18:05 -07:00
Ryan Richard
3fb683f64e Update expected error message in e2e integration test 2021-08-16 15:40:34 -07:00